Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6db37d99f8e42794…

MALICIOUS

Office (OLE) / .DOC

Size: 207.0 KB
Created: 2020-12-21 13:57:00
Authoring application: Microsoft Office Word
MD5: 82e542474ef2811ccf270c93cabc6029
SHA-1: e410245d87c0bfb16ef4b9e61f443fd60850ae7c
SHA-256: 6db37d99f8e42794a1b2b3ea7d38a4f44e4d4cbb25ae7a1472529b00cc029862
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV detects the file as a downloader, and the byte-level heuristics flag a reference to Windows Script Host together with a compiled-VBA (p-code) stream that pairs an auto-execution entry point with shell/download/object-execution tokens. The VBA source itself could not be extracted (olevba failed), so the macro logic was not reviewed; the verdict rests on the ClamAV signature, the auto-exec plus execution token pairing, the WScript reference and the ten embedded .php URLs. Taken together these indicate a macro that runs when the document is opened (once the recipient enables content) and retrieves a second-stage payload from one of the listed URLs via Windows Script Host. The document body appears to be corrupted or heavily obfuscated, which prevents a more detailed analysis of the lure. Because no source was recovered, the call sequence should be confirmed by disassembling the p-code (for example with pcodedmp) or by detonation before the URLs are treated as confirmed payload locations.

Heuristics (5)

  • ClamAV: Doc.Downloader.ChristmasGift-9845923-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.ChristmasGift-9845923-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection. The per-URL channel labels (macro, JS, link annotation, document body, ...) that would show how each URL was reached are not present in this report, so the ten .php URLs below are candidate second-stage locations, not confirmed ones. The final two entries are standard XML namespace identifiers (DrawingML and XSLT) and are not download locations.
    • http://www.greenvalues.eu/wp-includes/js/tinymce/themes/inlite/zfaFOUkR.php
    • https://mpcleaning.com.ng/YVS0KGG5msvU.php
    • https://negara-store.ir/wp-content/plugins/megamenu-pro/fonts/custom/iXNYO5PrDIC2k.php
    • https://www.dreamworldjdp.com/wp-content/plugins/woocommerce/src/Admin/MSBWURQmgP4.php
    • https://chainreactiondev.com/the-view/node_modules/node-gyp/test/fixtures/z8PrxpafJjjePCX.php
    • http://carlos-anigstein.com.ar/wp-content/themes/twentyfourteen/genericons/font/c79ZiUwf.php
    • https://GesDoc.fda.com.pe/wp-content/plugins/members/addons/members-acf-integration/mvIU5C4mp.php
    • https://ok-one.biz/Pe3WeU5Vlvg.php
    • http://www.yadfilmes.com/Lr2amfb5v2f.php
    • http://www.lakolc.org/wp-content/themes/Divi/css/tinymce-skin/2KZttGzpEH.php
    • http://schemas.openxmlformats.org/drawingml/2006/main (XML namespace, not a payload URL)
    • http://www.w3.org/1999/XSL/Transform (XML namespace, not a payload URL)
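The two format-agnostic checks the report relies on when olevba fails, OLE_VBA_PCODE_AUTOEXEC_EXEC (an auto-exec token co-occurring with execution tokens in the compiled VBA stream) and EMBEDDED_URL (URL extraction with namespace URIs separated from candidate payload locations), can be reproduced as a byte-level fallback scan. The following is an added example written for this page; it is not code from the analysis platform, olevba or ClamAV. The token lists, the namespace host list and the SAMPLE bytes are assumptions constructed for the example; it scans both ASCII and UTF-16LE text because identifier names and strings in OLE streams appear in either encoding.

```python
"""Byte-level fallback triage for an OLE/OOXML document whose VBA source cannot be extracted.

Illustrative example added to this report; not code from the analysis platform, olevba or
ClamAV. It approximates OLE_VBA_PCODE_AUTOEXEC_EXEC and EMBEDDED_URL by searching raw file
bytes, in ASCII and in UTF-16LE, for auto-execution entry points, execution identifiers and URLs.
The token lists, NAMESPACE_HOSTS and SAMPLE are assumptions constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Macro entry points Word/Excel invoke on open/close once macros are enabled (assumed list).
AUTOEXEC_TOKENS = (
    b"AutoOpen", b"Document_Open", b"AutoExec", b"Auto_Open",
    b"Workbook_Open", b"AutoClose", b"Document_Close",
)
# Identifiers tied to shell, download or object execution (assumed, deliberately short list).
EXEC_TOKENS = (
    b"WScript.Shell", b"Shell", b"CreateObject", b"URLDownloadToFile",
    b"XMLHTTP", b"ADODB.Stream", b"powershell", b"wscript", b"cscript",
)
# Hosts whose URLs are XML namespace identifiers rather than download locations (assumed list).
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "www.w3.org",
                   "schemas.microsoft.com", "purl.org"}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# Runs of at least four printable ASCII characters each followed by NUL, i.e. UTF-16LE text.
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def _views(data: bytes):
    """Yield the raw bytes, then every UTF-16LE printable run decoded back to narrow bytes."""
    yield data
    for m in WIDE_RUN_RE.finditer(data):
        yield m.group(0).decode("utf-16le").encode("ascii")


def _find_tokens(data: bytes, tokens) -> set:
    """Case-insensitive search for each token across both byte views; returns the matched tokens."""
    found = set()
    for view in _views(data):
        for tok in tokens:
            if re.search(re.escape(tok), view, re.IGNORECASE):
                found.add(tok.decode())
    return found


def pcode_autoexec_exec(data: bytes) -> dict:
    """Mirror the report's p-code heuristic: an auto-exec token AND an execution token must co-occur."""
    autoexec = _find_tokens(data, AUTOEXEC_TOKENS)
    execs = _find_tokens(data, EXEC_TOKENS)
    return {"autoexec": sorted(autoexec), "exec": sorted(execs),
            "hit": bool(autoexec and execs)}


def extract_urls(data: bytes) -> list:
    """Return (url, label) pairs: 'namespace' for XML schema URIs, 'candidate' for everything else."""
    labelled = {}
    for view in _views(data):
        for m in URL_RE.finditer(view):
            url = m.group(0).decode("ascii").rstrip(".,;:)'")
            host = (urlsplit(url).hostname or "").lower()
            labelled.setdefault(url, "namespace" if host in NAMESPACE_HOSTS else "candidate")
    return sorted(labelled.items())


# Constructed sample, not bytes from the analysed file: ASCII identifier names as they appear in a
# dir/_VBA_PROJECT stream, one UTF-16LE string, one UTF-16LE URL and an OOXML namespace declaration.
SAMPLE = (
    b"\x00\x00\x00\x00Attribute VB_Name = \"ThisDocument\"\x00\x00"
    b"\x00AutoOpen\x00\x00CreateObject\x00\x00"
    + "WScript.Shell".encode("utf-16le")
    + b"\x00\x00http://www.compromised-site.example/wp-content/plugins/x/Ab12.php\x00\x00"
    + "https://second-host.example/Pe3WeU.php".encode("utf-16le")
    + b"\x00\x00<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">"
)

if __name__ == "__main__":
    print(pcode_autoexec_exec(SAMPLE))
    for url, label in extract_urls(SAMPLE):
        print(f"{label:9} {url}")
```

Run against a real file with `pcode_autoexec_exec(open(path, "rb").read())`; the hit flag only fires when both token classes are present, which is what keeps a benign document that merely mentions "Shell" in its text from matching. As the report's own caveat says, a hit from this scan justifies escalation (p-code disassembly or detonation), not a final verdict on its own.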